Sometimes, issues may arise when configuring a virtual router, such as port forwarding not working or potential problems with rule configurations. You may also need to check router logs, verify channel operation, or perform network diagnostics. This article describes methods and solutions for troubleshooting these issues independently without contacting technical support.
Setting Up Access to the Virtual EDGE Router
First, we need to configure access to the virtual EDGE router.
- Go to its services and navigate to the EDGE Settings tab.
- Enable SSH Status, set a password, and save the changes.
If strict Firewall rules are in place (where everything is blocked by default), add a rule allowing SSH connections to the router:
Next, connect using an SSH client (e.g., PuTTY) to access the console.
Available Diagnostic Commands
To list all available commands, use:
Useful Commands for Troubleshooting
- show interface – Displays available interfaces and their assigned IP addresses.
- show log – Shows router logs.
- show log follow – Displays logs in real time with continuous updates.
  - Each rule (NAT or Firewall) has an Enable logging option. When enabled, events are recorded in the log, aiding diagnostics.
- show flowtable – Shows the entire connection table with parameters.
1: tcp 6 21599 ESTABLISHED src=9X.107.69.XXXX dst=178.170.172.XXX sport=59365 dport=22 pkts=293 bytes=22496 src=178.170.172.XXXX dst=91.107.69.173 sport=22 dport=59365 pkts=206 bytes=83569 [ASSURED] mark=0 rid=133427 use=1.
- show flowtable topN 10 – Displays a specified number of entries (e.g., 10).
- show flowtable topN 10 sort-by pkts – Sorts connections by packet count (ascending).
- show flowtable topN 10 sort-by bytes – Sorts connections by data volume (ascending).
- show flowtable rule-id ID topN 10 – Filters connections by a specific rule ID.
- show flowtable flowspec SPEC – Allows flexible filtering (e.g., proto=tcp:srcip=9X.107.69.XXX:sport=59365).
Example:
> show flowtable flowspec proto=tcp:srcip=90.107.69.171:sport=59365
1: tcp 6 21599 ESTABLISHED src=9X.107.69.XX dst=178.170.172.xxx sport=59365 dport=22 pkts=1659 bytes=135488 src=178.170.172.xxx dst=xx.107.69.xxx sport=22 dport=59365 pkts=1193 bytes=210361 [ASSURED] mark=0 rid=133427 use=1
Total flows: 1
- show packet drops – Shows packet drop statistics.
- show firewall flows – Displays firewall packet counters along with traffic flows.
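The flowtable lines above carry two src/dst/pkts/bytes groups (original direction, then reply direction) and the rule ID in rid. The following Python is an added example, not part of the original article or the vendor's tooling: it parses show flowtable output saved from the SSH session and groups, per rule ID, the flows that sent packets but saw no reply, which helps when a TCP session fails to establish. It assumes the line layout shown in the article's sample; the sample text, addresses and rule IDs are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the article's flowtable line; addresses
# are documentation ranges and the rule IDs are made up.
SAMPLE = """\
1: tcp 6 21599 ESTABLISHED src=198.51.100.7 dst=203.0.113.10 sport=59365 dport=22 pkts=293 bytes=22496 src=203.0.113.10 dst=198.51.100.7 sport=22 dport=59365 pkts=206 bytes=83569 [ASSURED] mark=0 rid=133427 use=1
2: tcp 6 115 SYN_SENT src=192.0.2.44 dst=203.0.113.10 sport=40112 dport=443 pkts=3 bytes=180 [UNREPLIED] src=203.0.113.10 dst=192.0.2.44 sport=443 dport=40112 pkts=0 bytes=0 mark=0 rid=131074 use=1
3: udp 17 28 src=192.0.2.44 dst=203.0.113.53 sport=5353 dport=53 pkts=1 bytes=71 src=203.0.113.53 dst=192.0.2.44 sport=53 dport=5353 pkts=1 bytes=120 mark=0 rid=131074 use=1
Total flows: 3
"""

# "<n>: <proto> <proto-num> <timeout> [STATE]" followed by the first src=
HEAD = re.compile(r"^\d+:\s+(\w+)\s+\d+\s+\d+\s+(?:([A-Z_]+)\s+)?(?=src=)")
KV = re.compile(r"(\w+)=(\S+)")
TUPLE_KEYS = {"src", "dst", "sport", "dport", "pkts", "bytes"}

def parse_flow(line):
    """Parse one flow line into original/reply directions; None if not a flow."""
    m = HEAD.match(line.strip())
    if not m:
        return None
    orig, reply, tail = {}, {}, {}
    for key, val in KV.findall(line):
        if key in TUPLE_KEYS:
            # Keys repeat: the first occurrence belongs to the original
            # direction, the second to the reply direction.
            (reply if key in orig else orig)[key] = val
        else:
            tail[key] = val
    for d in (orig, reply):
        for key in ("pkts", "bytes"):
            d[key] = int(d.get(key, 0))
    return {"proto": m.group(1), "state": m.group(2), "orig": orig,
            "reply": reply, "rid": tail.get("rid")}

def one_way_by_rule(text):
    """Group flows that sent packets but received no reply, keyed by rule ID."""
    hits = defaultdict(list)
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow and flow["orig"]["pkts"] > 0 and flow["reply"]["pkts"] == 0:
            hits[flow["rid"]].append(flow)
    return dict(hits)

if __name__ == "__main__":
    for rid, flows in one_way_by_rule(SAMPLE).items():
        for f in flows:
            o = f["orig"]
            print(f"rid={rid} {f['proto']} {o['src']}:{o.get('sport')} -> "
                  f"{o['dst']}:{o.get('dport')} state={f['state']} sent={o['pkts']} replies=0")
```

A rule ID reported here can then be examined on the router with show flowtable rule-id ID and by enabling logging on that rule.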
In the same way we can use basic network diagnostics tools directly from the EDGE router:
- ping ip WORD – Standard ping.
- ping ip WORD size SIZE count COUNT nofrag – Ping with custom packet size, count, and no fragmentation.
- traceroute ip WORD – Standard traceroute.
Firewall Diagnostics on EDGE
- Run show firewall and check custom filtering rules in the usr_rules table.
- Inspect the POSTROUTING chain and monitor DROP counters.
  - If asymmetric routing is an issue, DROP values will increase.
  - Additional checks:
    - Ping works in one direction but not the other.
    - Ping works, but TCP sessions fail to establish.
- Check IP addresses with show ipset.
- Enable logging for the firewall rule in EDGE Services.
- Monitor events in real time with show log follow.
- Check connections by rule ID: show flowtable rule-id ID.
- Compare active connections (Current Flow Entries) with maximum capacity (Total Flow Capacity) using show flowstats.
  - For configuration limits, refer to NSX Edge – Specifications & Performance.
- For details on packet capture (PCAP) on EDGE, see Part 2.